]> git.proxmox.com Git - pve-access-control.git/blame - PVE/CLI/pveum.pm
use PVE::LDAP module instead of useing Net::LDAP directly
1package PVE::CLI::pveum;
2
3use strict;
4use warnings;
042eaa3d 5
66d1b615 6use PVE::AccessControl;
7use PVE::RPCEnvironment;
8use PVE::API2::User;
9use PVE::API2::Group;
10use PVE::API2::Role;
11use PVE::API2::ACL;
12use PVE::API2::AccessControl;
369851ac 13use PVE::CLIFormatter;
09281ad7 14use PVE::CLIHandler;
66d1b615 15use PVE::JSONSchema qw(get_standard_option);
b34d76e7 16use PVE::PTY;
369851ac 17use PVE::RESTHandler;
66d1b615 18use PVE::Tools qw(extract_param);
19
20use base qw(PVE::CLIHandler);
21
# Prepare the RPC environment for command-line use.
#
# This only delegates to PVE::RPCEnvironment. What the default CLI environment
# sets up (for example, which identity CLI calls run as) is defined in that
# module and is not visible in this file.
sub setup_environment {
    return PVE::RPCEnvironment->setup_default_cli_env();
}
25
# Return the CLI parameter mapping registered for the API method $name.
#
# Parameters:
#   $name - API method name ('change_password' or 'create_ticket').
#
# Returns the array ref of mappings for that method, or undef when the method
# has no entry.
sub param_mapping {
    my ($name) = @_;

    # Password source for 'create_ticket'.
    # do not accept values given on cmdline
    # NOTE(review): presumably this keeps the password out of the argument
    # vector, where process listings and shell history could expose it.
    my $prompt_for_password = sub {
        return PVE::PTY::read_password('Enter password: ');
    };

    my %mapping_for = (
        # Uses the standard 'pve-password' mapping unchanged; its behaviour is
        # defined by PVE::CLIHandler and cannot be seen from this file.
        'change_password' => [
            PVE::CLIHandler::get_standard_mapping('pve-password'),
        ],
        # Same standard mapping, but with 'func' overridden so the value
        # always comes from the interactive prompt above.
        'create_ticket' => [
            PVE::CLIHandler::get_standard_mapping('pve-password', {
                func => $prompt_for_password,
            }),
        ],
    );

    return $mapping_for{$name};
}
45
# Output callback for commands that print an API result as-is.
#
# Forwards the result, its schema and the formatting options to
# PVE::CLIFormatter::print_api_result. The third argument is always undef; its
# meaning is defined by PVE::CLIFormatter and is not visible in this file.
my $print_api_result = sub {
    my ($result, $result_schema, $format_opts) = @_;
    return PVE::CLIFormatter::print_api_result($result, $result_schema, undef, $format_opts);
};
50
# Output callback for the 'permissions' commands.
#
# $data is a hash of ACL path => { privilege => propagate flag }. For text
# output (or when no 'output-format' is set) it is flattened into a two-column
# table with one row per path, listing the privileges one per line and marking
# those with a true propagate flag with '(*)'. Any other output format prints
# the unmodified structure using the caller-supplied schema.
my $print_perm_result = sub {
    my ($data, $schema, $options) = @_;

    my $format = $options->{'output-format'};

    # An explicitly requested non-text format gets the raw API structure.
    if (defined($format) && $format ne 'text') {
        return PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
    }

    # Schema describing the flattened table built below.
    my $table_schema = {
        type => 'array',
        items => {
            type => 'object',
            properties => {
                'path' => { type => 'string', title => 'ACL path' },
                'permissions' => { type => 'string', title => 'Permissions' },
            },
        },
    };

    # Paths and privileges are sorted so the output order is stable.
    my @rows;
    for my $acl_path (sort keys %$data) {
        my $privs = $data->{$acl_path};
        my $cell = '';
        for my $priv (sort keys %$privs) {
            $cell .= "\n" if $cell;
            $cell .= $privs->{$priv} ? "$priv (*)" : $priv;
        }
        push @rows, { path => $acl_path, permissions => $cell };
    }

    PVE::CLIFormatter::print_api_result(\@rows, $table_schema, undef, $options);
    print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
};
82
# API method registered on this CLI package for looking up the effective
# permissions of an API token.
#
# It takes the owning user and the token sub-id as separate parameters,
# combines them into one token id, and delegates to
# PVE::API2::AccessControl->permissions.
#
# NOTE(review): this definition declares no 'permissions' key of its own, so
# any authorization for the lookup is presumably enforced by the delegated
# method - confirm against PVE::API2::AccessControl.
__PACKAGE__->register_method({
    name => 'token_permissions',
    path => 'token_permissions',
    method => 'GET',
    description => 'Retrieve effective permissions of given token.',
    parameters => {
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid'),
            tokenid => get_standard_option('token-subid'),
            path => get_standard_option('acl-path', {
                description => "Only dump this specific path, not the whole tree.",
                optional => 1,
            }),
        },
    },
    returns => {
        type => 'object',
        description => 'Hash of structure "path" => "privilege" => "propagate boolean".',
    },
    code => sub {
        my ($param) = @_;

        # Take 'tokenid' out of the parameter hash and fold it into 'userid'.
        # All remaining parameters (such as an optional 'path') are forwarded
        # untouched.
        my $subid = extract_param($param, 'tokenid');
        my $full_tokenid = PVE::AccessControl::join_tokenid($param->{userid}, $subid);
        $param->{userid} = $full_tokenid;

        return PVE::API2::AccessControl->permissions($param);
    },
});
111
# Output options shared by every command that prints through a formatter.
my $std_output_opts = $PVE::RESTHandler::standard_output_options;

# Command table for the pveum CLI.
#
# Layout as used in this file (interpreted by PVE::CLIHandler, so treat the
# element meanings as inferred - confirm there): each leaf is
#   [ API class, method name, positional parameter names,
#     fixed parameters, output callback, output options ]
# and nested hashes form sub-commands. Entries of the form
# { alias => '...' } map the legacy single-word commands onto the nested ones.
our $cmddef = {
    user => {
        add    => [ 'PVE::API2::User', 'create_user', ['userid'] ],
        modify => [ 'PVE::API2::User', 'update_user', ['userid'] ],
        delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
        list   => [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $std_output_opts ],
        permissions => [
            'PVE::API2::AccessControl', 'permissions', ['userid'], {},
            $print_perm_result, $std_output_opts,
        ],
        token => {
            # NOTE(review): the result of 'generate_token' is printed by the
            # generic result printer; if it contains the token secret, the
            # command output has to be handled as a credential - confirm
            # against PVE::API2::User.
            add => [
                'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {},
                $print_api_result, $std_output_opts,
            ],
            modify => [
                'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {},
                $print_api_result, $std_output_opts,
            ],
            remove => [
                'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {},
                $print_api_result, $std_output_opts,
            ],
            list => [
                'PVE::API2::User', 'token_index', ['userid'], {},
                $print_api_result, $std_output_opts,
            ],
            # Served by the method registered on this package.
            permissions => [
                __PACKAGE__, 'token_permissions', ['userid', 'tokenid'], {},
                $print_perm_result, $std_output_opts,
            ],
        },
    },
    group => {
        add    => [ 'PVE::API2::Group', 'create_group', ['groupid'] ],
        modify => [ 'PVE::API2::Group', 'update_group', ['groupid'] ],
        delete => [ 'PVE::API2::Group', 'delete_group', ['groupid'] ],
        list   => [ 'PVE::API2::Group', 'index', [], {}, $print_api_result, $std_output_opts ],
    },
    role => {
        add    => [ 'PVE::API2::Role', 'create_role', ['roleid'] ],
        modify => [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
        delete => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
        list   => [ 'PVE::API2::Role', 'index', [], {}, $print_api_result, $std_output_opts ],
    },
    acl => {
        # Both commands call 'update_acl'; they differ only in the 'delete'
        # value supplied in the fourth element.
        modify => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 0 } ],
        delete => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 1 } ],
        list   => [ 'PVE::API2::ACL', 'read_acl', [], {}, $print_api_result, $std_output_opts ],
    },

    # Prints the bare ticket string on stdout. The ticket is an authentication
    # credential, so the output of this command should not end up in logs or
    # other shared locations.
    ticket => [
        'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
        sub {
            my ($res) = @_;
            print "$res->{ticket}\n";
        },
    ],

    passwd => [ 'PVE::API2::AccessControl', 'change_password', ['userid'] ],

    # Legacy single-word command names.
    useradd => { alias => 'user add' },
    usermod => { alias => 'user modify' },
    userdel => { alias => 'user delete' },

    groupadd => { alias => 'group add' },
    groupmod => { alias => 'group modify' },
    groupdel => { alias => 'group delete' },

    roleadd => { alias => 'role add' },
    rolemod => { alias => 'role modify' },
    roledel => { alias => 'role delete' },

    aclmod => { alias => 'acl modify' },
    acldel => { alias => 'acl delete' },
};
167
1681;